SSH Reference Manual
The user super.super can execute any client mode commands for all users unless explicitly configured in the OBJECTTYPE USER with DENY Create authority. The parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are ignored.
If a person wants to execute an SSHCOM CLIENT MODE command affecting records for a specific Guardian user or alias <user-or-alias>, that person must either be logged on as <user-or-alias> or meet these two qualifications:
• Have CREATE (C) authority on the OBJECTTYPE USER access control list
• Be the owner of the underlying Safeguard user ID of <user-or-alias> or be the group manager of the owner of the underlying Safeguard user ID of <user-or-alias>
SSHCOM Access Summary
Shortcuts used in the following table:
• 'SUPER' - SUPER.SUPER
• 'OU' - OBJECTTYPE USER
• 'OUR' - OBJECTTYPE USER RECORD
• 'FullSA' - FULLSSHCOMACCESSUSERi/GROUPj
• 'PartialSA' - PARTIALSSHCOMACCESSUSERk/GROUPn
| User is 'SUPER' (Yes/No) | Thawed 'OU' exists (Yes/No) | User configured in 'OUR' (No / Create / DENY Create / Not Applicable) | User included in 'FullSA' configuration (Yes / No / Not Applicable) | User included in 'PartialSA' configuration (Yes/No) | Allowed USER Commands (All / Alter&Info / None) |
|---|---|---|---|---|---|
| Yes | No | N/A | N/A | N/A | All |
| Yes | Yes | No | N/A | N/A | All |
| Yes | Yes | Create | N/A | N/A | All |
| Yes | Yes | DENY Create | N/A | No | None |
| Yes | Yes | DENY Create | N/A | Yes | Alter&Info |
| No | No | N/A | No | No | None |
| No | No | N/A | No | Yes | Alter&Info |
| No | No | N/A | Yes | N/A | All |
| No | Yes | No | N/A | No | None |
| No | Yes | No | N/A | Yes | Alter&Info |
| No | Yes | Create | N/A | N/A | All |
| No | Yes | DENY Create | N/A | No | None |
| No | Yes | DENY Create | N/A | Yes | Alter&Info |
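The access summary above reduces to a short precedence rule, shown here as an added example for auditing effective SSHCOM access (it is not code from the manual or the product). The names `Acl`, `allowed_user_commands` and `table_mismatches` are hypothetical; N/A cells are assumed to mean "not consulted", and the ownership qualification for acting on another user's records is not modelled.

```python
from enum import Enum
from itertools import product

class Acl(Enum):
    """The user's entry on a thawed OBJECTTYPE USER access control list."""
    NOT_LISTED = "No"
    CREATE = "Create"
    DENY_CREATE = "DENY Create"

def allowed_user_commands(is_super, thawed_ou, acl, full_sa, partial_sa):
    """Return 'All', 'Alter&Info' or 'None' for one user."""
    fallback = "Alter&Info" if partial_sa else "None"
    if thawed_ou:
        # A thawed OBJECTTYPE USER takes over; FullSA is not consulted.
        if acl is Acl.CREATE:
            return "All"
        if acl is Acl.DENY_CREATE:
            return fallback          # also restricts SUPER.SUPER
        return "All" if is_super else fallback
    # No thawed OBJECTTYPE USER: only the FullSA/PartialSA sets decide.
    return "All" if (is_super or full_sa) else fallback

Y, N, NA = True, False, None
# The 13 rows of the summary table, re-typed (NA = "N/A" cell).
TABLE = [
    (Y, N, NA, NA, NA, "All"),
    (Y, Y, Acl.NOT_LISTED, NA, NA, "All"),
    (Y, Y, Acl.CREATE, NA, NA, "All"),
    (Y, Y, Acl.DENY_CREATE, NA, N, "None"),
    (Y, Y, Acl.DENY_CREATE, NA, Y, "Alter&Info"),
    (N, N, NA, N, N, "None"),
    (N, N, NA, N, Y, "Alter&Info"),
    (N, N, NA, Y, NA, "All"),
    (N, Y, Acl.NOT_LISTED, NA, N, "None"),
    (N, Y, Acl.NOT_LISTED, NA, Y, "Alter&Info"),
    (N, Y, Acl.CREATE, NA, NA, "All"),
    (N, Y, Acl.DENY_CREATE, NA, N, "None"),
    (N, Y, Acl.DENY_CREATE, NA, Y, "Alter&Info"),
]

def table_mismatches():
    """Rows the rule fails to reproduce for any fill of their N/A cells."""
    bad = []
    for sup, ou, acl, full, part, want in TABLE:
        fills = product(list(Acl) if acl is NA else [acl],
                        (Y, N) if full is NA else [full],
                        (Y, N) if part is NA else [part])
        if any(allowed_user_commands(sup, ou, a, f, p) != want for a, f, p in fills):
            bad.append((sup, ou, acl, full, part, want))
    return bad

if __name__ == "__main__":
    print(table_mismatches() or "rule reproduces all 13 table rows")
```

Two consequences worth checking during an access review: a DENY Create entry restricts SUPER.SUPER as well, and a FullSA entry stops granting full access once a thawed OBJECTTYPE USER exists.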
Ownership and Management of Client Mode Entities
In release 89 a finer granularity for access and administration of client mode records was introduced. In previous releases, client mode records were owned by a Guardian user identifier. Even when logged on as an alias, the underlying Guardian identifier was used to add and retrieve KEY, PASSWORD and KNOWNHOST records. The philosophy behind this assumed that one person used a specific Guardian user identifier as well as the configured aliases for that Guardian user identifier. This approach is consistent with the general security on NonStop (ACL, file security, etc.), which is based on the Guardian user identifier.
HP NonStop SSH Reference Manual, SSHCOM Command Reference